2019 North America Roadshow Series: SonicWall Showcases Complete Cybersecurity Portfolio, Capture Cloud Platform

As a company 100% committed to the channel, SonicWall has a proud, long-held tradition of putting our partners and customers first. Our 2019 North America Roadshow Series is one of our favorite opportunities to get some direct time with our committed partners and provide exciting and useful information to our customers.

This year, we are continuing our roadshow with remaining events taking place Oct. 1 through Dec. 5 in select cities across North America. We’re taking a unique, targeted approach to this year’s roadshow structure, by having separate dedicated sessions for our SecureFirst Partners, and additional demonstrations, meetings and activities opened up to both our partners and customers.

For SonicWall partners

The roadshow will give SecureFirst partners an exclusive opportunity to learn about the future direction of the company, spend valuable time with SonicWall product experts, and learn new ways to build their business. Partners will also get the opportunity to hear valuable feedback from each other and exchange ideas with their local SonicWall team.

In our partner-only sessions we will cover a variety of topics, including:

  • Introduction to the complete SonicWall portfolio and the Capture Cloud Platform
  • Overview of the newest elements added to the SecureFirst Partner Program
  • SonicWall Overdrive, the Partner Marketing Engine
  • Promotions and incentives
  • Unique insights into SonicWall’s product roadmap

This is an exciting opportunity for our SecureFirst partners to gain insight into our 2019/20 focus areas and go-to-market strategy.

For SonicWall customers

During our roadshow, SonicWall customers will experience an immersive day of practical content, including training and updates, on a variety of valuable areas:

Customers will also get the opportunity to hear valuable feedback from each other and exchange ideas with their local SonicWall team.

We are also delighted to provide meals, entertainment activities and opportunity for business networking during our events, ensuring the day is not only useful, but fun as well. The activities vary for each location. Please check out the registration page for each individual event for more details.

Register now

If you are interested in attending an upcoming roadshow event in North America, please reference the table below and register for a city near you.

Date        | Location            | Partners Only     | Partners & Customers
------------|---------------------|-------------------|---------------------
October 1   | Los Angeles, CA     | Registration Full | Registration Full
October 3   | San Diego, CA       | Registration Full | Registration Full
October 3   | Hartford, CT        | Registration Full | Registration Full
October 8   | Montreal, QC        | Registration Full | Registration Full
October 8   | Detroit, MI         | Registration Full | Registration Full
October 9   | Charlotte, NC       | -                 | Registration Full
October 10  | Nashville, TN       | -                 | Registration Full
October 10  | Raleigh, NC         | -                 | Registration Full
October 10  | Pittsburgh, PA      | -                 | Registration Full
October 16  | San Jose, CA        | -                 | Registration Full
October 16  | Toronto, ON         | Registration Full | Registration Full
October 17  | Sacramento, CA      | -                 | Registration Full
October 17  | Phoenix, AZ         | Registration Full | -
October 23  | Denver, CO          | -                 | Registration Full
October 24  | Kansas City, KS     | Registration Full | Registration Full
October 24  | Orlando, FL         | Registration Full | Registration Full
October 28  | Baltimore, MD       | -                 | Registration Full
October 30  | Ashburn, VA         | -                 | Registration Full
November 8  | Seattle, WA         | -                 | Registration Full
November 12 | New York, NY        | Registration Full | Registration Full
November 14 | King Of Prussia, PA | -                 | Registration Full
December 5  | Milwaukee, WI       | -                 | Registration Full

Please note availability is strictly limited and this event is targeted to the SonicWall SecureFirst partner community.

More partner news

Keep up with partner news from SonicWall by following us on social media and by following our dedicated partner-focused Twitter account: @SNWLSecChannel

Microsoft Security Bulletin Coverage for October 2019

SonicWall Capture Labs Threat Research Team has analyzed and addressed Microsoft’s security advisories for the month of October 2019. A list of the issues reported, along with SonicWall coverage information, is as follows:

CVE-2019-0608 Microsoft Browser Spoofing Vulnerability
There are no known exploits in the wild.

CVE-2019-1060 MS XML Remote Code Execution Vulnerability
IPS 14437: MS XML Remote Code Execution Vulnerability (OCT 19)

CVE-2019-1070 Microsoft Office SharePoint XSS Vulnerability
There are no known exploits in the wild.

CVE-2019-1166 Windows NTLM Tampering Vulnerability
There are no known exploits in the wild.

CVE-2019-1230 Hyper-V Information Disclosure Vulnerability
There are no known exploits in the wild.

CVE-2019-1238 VBScript Remote Code Execution Vulnerability
IPS 14438: VBScript Engine Remote Code Execution Vulnerability (OCT19) 1

CVE-2019-1239 VBScript Remote Code Execution Vulnerability
IPS 14439: VBScript Engine Remote Code Execution Vulnerability (OCT19) 2

CVE-2019-1307 Chakra Scripting Engine Memory Corruption Vulnerability
IPS 14440: Chakra Scripting Engine Memory Corruption Vulnerability (OCT 19) 2

CVE-2019-1308 Chakra Scripting Engine Memory Corruption Vulnerability
IPS 14441: Chakra Scripting Engine Memory Corruption Vulnerability (OCT 19) 3

CVE-2019-1311 Windows Imaging API Remote Code Execution Vulnerability
There are no known exploits in the wild.

CVE-2019-1313 SQL Server Management Studio Information Disclosure Vulnerability
There are no known exploits in the wild.

CVE-2019-1314 Windows 10 Mobile Security Feature Bypass Vulnerability
There are no known exploits in the wild.

CVE-2019-1315 Windows Error Reporting Manager Elevation of Privilege Vulnerability
There are no known exploits in the wild.

CVE-2019-1316 Microsoft Windows Setup Elevation of Privilege Vulnerability
There are no known exploits in the wild.

CVE-2019-1317 Microsoft Windows Denial of Service Vulnerability
There are no known exploits in the wild.

CVE-2019-1318 Microsoft Windows Transport Layer Security Spoofing Vulnerability
There are no known exploits in the wild.

CVE-2019-1319 Windows Error Reporting Elevation of Privilege Vulnerability
There are no known exploits in the wild.

CVE-2019-1320 Microsoft Windows Elevation of Privilege Vulnerability
There are no known exploits in the wild.

CVE-2019-1321 Microsoft Windows CloudStore Elevation of Privilege Vulnerability
There are no known exploits in the wild.

CVE-2019-1322 Microsoft Windows Elevation of Privilege Vulnerability
There are no known exploits in the wild.

CVE-2019-1323 Microsoft Windows Update Client Elevation of Privilege Vulnerability
There are no known exploits in the wild.

CVE-2019-1325 Windows Redirected Drive Buffering System Elevation of Privilege Vulnerability
There are no known exploits in the wild.

CVE-2019-1326 Windows Remote Desktop Protocol (RDP) Denial of Service Vulnerability
There are no known exploits in the wild.

CVE-2019-1327 Microsoft Excel Remote Code Execution Vulnerability
There are no known exploits in the wild.

CVE-2019-1328 Microsoft SharePoint Spoofing Vulnerability
There are no known exploits in the wild.

CVE-2019-1329 Microsoft SharePoint Elevation of Privilege Vulnerability
There are no known exploits in the wild.

CVE-2019-1330 Microsoft SharePoint Elevation of Privilege Vulnerability
There are no known exploits in the wild.

CVE-2019-1331 Microsoft Excel Remote Code Execution Vulnerability
There are no known exploits in the wild.

CVE-2019-1333 Remote Desktop Client Remote Code Execution Vulnerability
ASPY 5737: Malformed-File exe.MP.108

CVE-2019-1334 Windows Kernel Information Disclosure Vulnerability
There are no known exploits in the wild.

CVE-2019-1335 Chakra Scripting Engine Memory Corruption Vulnerability
IPS 14435: Chakra Scripting Engine Memory Corruption Vulnerability (OCT 19) 1

CVE-2019-1336 Microsoft Windows Update Client Elevation of Privilege Vulnerability
There are no known exploits in the wild.

CVE-2019-1337 Windows Update Client Information Disclosure Vulnerability
There are no known exploits in the wild.

CVE-2019-1338 Windows NTLM Security Feature Bypass Vulnerability
There are no known exploits in the wild.

CVE-2019-1339 Windows Error Reporting Manager Elevation of Privilege Vulnerability
There are no known exploits in the wild.

CVE-2019-1340 Microsoft Windows Elevation of Privilege Vulnerability
There are no known exploits in the wild.

CVE-2019-1341 Windows Power Service Elevation of Privilege Vulnerability
ASPY 5734: Malformed-File exe.MP.106

CVE-2019-1342 Windows Error Reporting Manager Elevation of Privilege Vulnerability
There are no known exploits in the wild.

CVE-2019-1343 Windows Denial of Service Vulnerability
There are no known exploits in the wild.

CVE-2019-1344 Windows Code Integrity Module Information Disclosure Vulnerability
There are no known exploits in the wild.

CVE-2019-1345 Windows Kernel Information Disclosure Vulnerability
There are no known exploits in the wild.

CVE-2019-1346 Windows Denial of Service Vulnerability
There are no known exploits in the wild.

CVE-2019-1347 Windows Denial of Service Vulnerability
There are no known exploits in the wild.

CVE-2019-1356 Microsoft Edge based on Edge HTML Information Disclosure Vulnerability
There are no known exploits in the wild.

CVE-2019-1357 Microsoft Browser Spoofing Vulnerability
There are no known exploits in the wild.

CVE-2019-1358 Jet Database Engine Remote Code Execution Vulnerability
There are no known exploits in the wild.

CVE-2019-1359 Jet Database Engine Remote Code Execution Vulnerability
There are no known exploits in the wild.

CVE-2019-1361 Microsoft Graphics Components Information Disclosure Vulnerability
There are no known exploits in the wild.

CVE-2019-1362 Win32k Elevation of Privilege Vulnerability
There are no known exploits in the wild.

CVE-2019-1363 Windows GDI Information Disclosure Vulnerability
ASPY 5734: Malformed-File exe.MP.107

CVE-2019-1364 Win32k Elevation of Privilege Vulnerability
There are no known exploits in the wild.

CVE-2019-1365 Microsoft IIS Server Elevation of Privilege Vulnerability
ASPY 5736: Malformed-File ttf.MP.28

CVE-2019-1366 Chakra Scripting Engine Memory Corruption Vulnerability
IPS 14442: Chakra Scripting Engine Memory Corruption Vulnerability (OCT 19) 4

CVE-2019-1368 Windows Secure Boot Security Feature Bypass Vulnerability
There are no known exploits in the wild.

CVE-2019-1369 Open Enclave SDK Information Disclosure Vulnerability
There are no known exploits in the wild.

CVE-2019-1371 Internet Explorer Memory Corruption Vulnerability
There are no known exploits in the wild.

CVE-2019-1372 Azure App Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.

CVE-2019-1375 Microsoft Dynamics 365 (On-Premise) Cross Site Scripting Vulnerability
There are no known exploits in the wild.

CVE-2019-1376 SQL Server Management Studio Information Disclosure Vulnerability
There are no known exploits in the wild.

CVE-2019-1378 Windows 10 Update Assistant Elevation of Privilege Vulnerability
There are no known exploits in the wild.

What is Your Disaster Recovery Plan? 5 Core Practices to Ensure Business Continuity

While most of today’s focus is stopping cyberattacks, threats come in many shapes and forms. Being prepared for the unexpected — or the seemingly impossible — should drive your organization to draft, refine and implement a sound disaster recovery and business continuity plan.

On the surface, the idea is simple: prepare for disaster (e.g., hurricanes, earthquakes, fire, snow storms, flooding, etc.) before it happens. Most small- and medium-sized businesses (SMB), and some enterprises too, don’t devote enough time to thinking about disaster recovery, but a “we’ll deal with it when it happens” attitude can mean the end of any company — successful or not.

This level of preparedness is not quick or easy, which can unfortunately lead to irresponsible procrastination. To kickstart your disaster recovery plan — or ensure your current approach is optimized — explore five best practices to help prepare SMBs for worst-case scenarios.

Have a practiced plan in place

It seems obvious enough, but the first component of ensuring business continuity in the face of disaster is to actually have a plan — and then train for it. After any major disaster, people will be under extreme stress and not thinking clearly.

Therefore, it is critical to have a thought-out plan in place that outlines procedures and instructions to follow after a catastrophe. In the business world, this is more commonly referred to as a business continuity plan (BCP).

A BCP coordinates the efforts of all teams (e.g., communications, security, IT, HR, finance, engineering, supply chain, etc.) and helps identify leaders, manage assets and maintain customer expectations. Training and simulations are required to successfully implement a plan; without them, it’s just a piece of paper.

Ensure data is accessible

Network access may not be available after a disaster. The best efforts will have gone to waste if the disaster recovery plan is on a network drive or internal computer that no one can reach.

The same goes for email access. If a company maintains an on-prem secure email server and connectivity is down, communication will be handicapped. A popular solution is to have email and data repositories in the cloud.

Another scenario could be that connectivity is down only to the main site, but a secondary site is available which people don’t know how to reach. For example, a SonicWall Secure Mobile Access (SMA) appliance will make remote access transparent as it will automatically set up a VPN to the closest online site and reroute access as needed.

Build communications options

The ability to communicate effectively with your team, company leaders, customers, vendors and partners has a direct correlation to how quickly a company recovers from a disaster.

Email is the main form of communication in all companies, but this may not be available. As a backup, use social media to coordinate efforts. Applications like Teams, Slack and WhatsApp are good options for coordinating with internal groups. Twitter and the company website also can be used for public communications.

Maintain cyberattack awareness

While cybersecurity awareness should be practiced at all times, it’s critical to be even more vigilant during times of disaster.

Cybercriminals are opportunistic and will launch targeted attacks (e.g., phishing campaigns, ransomware attacks) at areas, regions, companies or organizations looking to either take advantage of those trying to help or hoping the chaos has caused targets’ guards to drop.

Sadly, many non-profit organizations, including the Red Cross, FEMA, FCC and more, are forced to issue repeated scam warnings during disasters. Should one of these attacks compromise an employee or partner, it may be a pathway into your network. If the proper network security firewalls and secure email controls are not already in place, it only takes one click to breach a network or infect a machine.

Some basic best practices will protect users during times of disaster and ensure that contingency networks and access are protected, including two-factor authentication (2FA) or multifactor authentication (MFA), and next-generation antivirus (NGAV) or endpoint protection, such as SonicWall Capture Client.

Together, these will help validate a user’s identity even if his/her credentials are compromised and prevent malicious files from being executed and installed on company machines in the case of infection.

Prepare now

A proper disaster recovery and business continuity plan should not be put off. A catastrophic event or natural disaster could cause far more damage to your business, customers, employees and brand than a proactive, responsible investment in sound cybersecurity, redundant networks and failover controls.

Preparing for disaster not only helps safeguard you during times of crisis, but the same controls will likely protect your networks and data during everyday cyberattacks (e.g., ransomware, email attacks, encrypted threats, insider threats and other malicious threats) against your organization.

OBFUSCATED JAVASCRIPT BEING USED BY WSHRAT V2.0

The SonicWall RTDMI engine has been detecting obfuscated JavaScript malware files for the last two weeks. After analysis, we found that these files belong to the WSHRAT malware family. The archive file carries the WSHRAT JavaScript file shown below:

Background:

WSHRAT was first spotted in the wild in 2013 and has periodically upgraded its Remote Access Trojan (RAT) capabilities since then. The current version is 2.0; this version information is present in the RAT itself. The programming language sets this malware apart from other RATs, because it has been written entirely in JavaScript. The malware has also been written in VBScript.

RAT Capabilities:

  • Installing, uninstalling and upgrading itself
  • Key logging and stealing passwords
  • Downloading, uploading and executing files
  • Remote desktop access
  • Executing various commands and sending data to the Command and Control (C&C) server.
  • Reversing proxy
  • Browser’s log stealing
  • Process enumeration and termination
  • USB drive infection

Persistence:

WSHRAT copies itself into the Startup folder and creates a Run entry in the registry. It uses the “%temp%\wshsdk\” directory to install its components.

Network:

WSHRAT collects and sends system information to its Command and Control (C&C) server. It uses “|” as the separator when sending information to the C&C server.

C&C Communication:

WSHRAT supports a large number of commands, which are listed below.

Command | Action
--------|-------
disconnect | Terminates itself.
reboot | Reboots the system.
shutdown | Turns the system off.
execute | Executes the command using the “eval” function.
install-sdk | If the %temp%\wshrat\python.exe file is present, the malware sends the status “SDK+Already+Installed”; otherwise it downloads wshsk.zip from “hxxp://2813.noip.me:2813/moz-sdk”. The malware extracts the downloaded file into %temp%\wshrat and sends the “SDK+Installed” message to the C&C server.
get-pass | Retrieves and sends the specified browser’s passwords to the C&C server.
get-pass-offline | Retrieves and sends all installed browsers’ passwords to the C&C server.
Update | Downloads and executes the latest JavaScript file from the C&C server.
Uninstall | Deletes all the registry entries, Startup entries and all file system traces related to WSHRAT, and terminates the execution of the malware.
up-n-exec | Downloads and executes the specified executable file from the C&C server.
bring-log | Sends the specified log file to the C&C server.
down-n-exec | Downloads and executes the specified executable file from the specified URL.
filemanager | Downloads an executable file from the specified URL and saves it as “fm-plugin.exe”. The malware executes the downloaded file with the parameters “m-plugin.exe 2813.noip.me 2813 \{Gathered Information}”.
rdp | Drops rd-plugin.exe, which is present in base64-encoded form inside the WSHRAT JavaScript file. The malware executes the dropped file with the parameters “rd-plugin.exe 2813.noip.me 2813 \{Gathered Information}\ true (is_offline_flag)”.
rev-proxy | Drops rprox.exe, which is present in base64-encoded form inside the WSHRAT JavaScript file. The malware executes the dropped file with the parameters “rprox.exe 2813.noip.me 2813 {filearg}”.
exit-proxy | Terminates the rprox.exe process.
keylogger | Drops kl-plugin.exe, which is present in base64-encoded form inside the WSHRAT JavaScript file. The malware executes the dropped file with the parameters “kl-plugin.exe 2813.noip.me 2813 \{Gathered Information}\ false (is_offline_flag)”.
offline-keylogger | Drops kl-plugin.exe, which is present in base64-encoded form inside the WSHRAT JavaScript file. The malware executes the dropped file with the parameters “kl-plugin.exe 2813.noip.me 2813 \{Gathered Information}\ true (is_offline_flag)”.
browse-logs | Enumerates the “wshlogs” directory and sends the collected information to the C&C server.
cmd-shell | Executes the specified command on the “Command Shell” and sends the output to the C&C server.
get-processes | Enumerates running processes using a WMI query (select * from win32_process) and sends process names, process ids and executable paths to the C&C server.
disable-uac | Modifies the values of the EnableLUA, ConsentPromptBehaviorAdmin and DisableAntiSpyware registry keys. The malware acknowledges the changes to the C&C server by sending the “UAC+Disabled+(Reboot+Required)” message.
check-eligible | If the specified file is present on the system, the malware sends the “Is+Eligible” message to the C&C server; otherwise it sends “Not+Eligible”.
force-eligible | If the specified file is present on the system, the malware executes the file with the specified parameters and sends the “SUCCESS” message to the C&C server; otherwise it sends the “Component+Missing” message.
elevate | If the malware is not already elevated, it restarts itself with elevated privileges and sends the “Client+Elevated” message to the C&C server.
if-elevate | If the malware is elevated, it sends the “Client+Elevated” message to the C&C server; otherwise it sends the “Client+Not+Elevated” message.
kill-process | Terminates the process with the specified process id.
sleep | Sleeps for the specified time.

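An added detection example, not code from the page or from the malware: it maps constructed, Sysmon-style event lines back to the WSHRAT commands in the table above, using the plugin launch pattern (“<plugin> 2813.noip.me 2813 …”), the %temp%\wshsdk and %temp%\wshrat directories, the disable-uac registry values and the Startup/Run persistence. The event line format and the file names in the sample events are assumptions.

```python
import re

# Added example (not the page's or the malware's code): detection logic over
# constructed, Sysmon-style event lines, keyed to the WSHRAT behaviours in the
# command table. Plugin names, wshsdk/wshrat directories, the C&C host/port
# launch form and the UAC registry values come from the page; the event
# format and sample file names are assumptions.

# Plugin binary -> the C&C command(s) from the table that drop or run it.
PLUGIN_TO_COMMAND = {
    "fm-plugin.exe": "filemanager",
    "rd-plugin.exe": "rdp",
    "rprox.exe": "rev-proxy",
    "kl-plugin.exe": "keylogger / offline-keylogger",
}
# Every plugin is launched as "<plugin> <c2 host> <c2 port> ..." per the table.
PLUGIN_LAUNCH = re.compile(
    r"(?P<plugin>(?:fm|rd|kl)-plugin\.exe|rprox\.exe)\s+(?P<host>[\w.\-]+)\s+(?P<port>\d+)(?=\s|$)",
    re.IGNORECASE)
# Component install directory (%temp%\wshsdk\) and SDK directory (%temp%\wshrat).
WSH_DIRS = re.compile(r"\\temp\\(?P<dir>wshsdk|wshrat)\\", re.IGNORECASE)
# Registry values the disable-uac command modifies.
UAC_VALUES = {"enablelua", "consentpromptbehavioradmin", "disableantispyware"}
UAC_KEY = re.compile(r"Policies\\System\\(?P<value>[A-Za-z]+)", re.IGNORECASE)
# Startup-folder copy or Run-key entry pointing at a script (the RAT is JS/VBScript).
RUN_KEY = re.compile(r"CurrentVersion\\Run\\", re.IGNORECASE)
STARTUP_DIR = re.compile(r"\\Startup\\", re.IGNORECASE)
SCRIPT_EXT = re.compile(r"\.(js|vbs)\b", re.IGNORECASE)


def classify_event(line):
    """Return a list of (category, wshrat_command, detail) tuples for one event line."""
    findings = []
    m = PLUGIN_LAUNCH.search(line)
    if m:
        plugin = m.group("plugin").lower()
        findings.append(("plugin", PLUGIN_TO_COMMAND[plugin], m.group("host") + ":" + m.group("port")))
    d = WSH_DIRS.search(line)
    if d:
        findings.append(("install-dir", "install / install-sdk", d.group("dir").lower()))
    k = UAC_KEY.search(line)
    if k and k.group("value").lower() in UAC_VALUES:
        findings.append(("uac", "disable-uac", k.group("value")))
    s = SCRIPT_EXT.search(line)
    if s and (RUN_KEY.search(line) or STARTUP_DIR.search(line)):
        findings.append(("persistence", "startup folder / Run key", s.group(0).lower()))
    return findings


def scan(lines):
    """Map line index -> findings for every line that triggered at least one rule."""
    report = {}
    for i, line in enumerate(lines):
        findings = classify_event(line)
        if findings:
            report[i] = findings
    return report


# Constructed sample events (file and value names such as loader.js are made up).
SAMPLE_EVENTS = [
    'ProcessCreate Image=C:\\Windows\\System32\\wscript.exe CommandLine="wscript.exe C:\\Users\\u\\AppData\\Local\\Temp\\wshsdk\\loader.js"',
    'ProcessCreate Image=C:\\Users\\u\\AppData\\Local\\Temp\\rd-plugin.exe CommandLine="rd-plugin.exe 2813.noip.me 2813 \\{info}\\ true"',
    'RegistrySet Key=HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLUA Data=0',
    'RegistrySet Key=HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\updater Data="wscript.exe C:\\Users\\u\\AppData\\Roaming\\updater.js"',
    'FileCreate TargetFilename=C:\\Users\\u\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\svc.js',
    'ProcessCreate Image=C:\\Windows\\System32\\notepad.exe CommandLine="notepad.exe notes.txt"',
]

if __name__ == "__main__":
    for idx, findings in scan(SAMPLE_EVENTS).items():
        for category, command, detail in findings:
            print(f"event {idx}: {category:<12} {command:<30} {detail}")
```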
Evidence of the detection by the RTDMI engine can be seen below in the Capture ATP report for this file:

Additional Remark:

Please note that the RTDMI engine analyzed and gave us a verdict for these samples as ‘Malicious’ on September 13, 2019 as visible in the report:

Whereas these samples (both the zipped and unzipped versions) were first seen on VirusTotal 3 days later – on September 16, 2019 – as evidenced by the ‘First Submission’ date:

Dridex Malware evading detection using delaying techniques

SonicWall Capture Labs Threat Research Team has spotted Dridex malware attacks in the wild. This malware is delivered through phishing emails.

Dridex is an info stealer which tries to steal information such as the ComputerName, running processes and system information and sends it to a C&C server. Dridex malware is known for using different techniques for encoding and obfuscating data. In this case it uses the technique below to delay the actual execution of the payload.

Infection Cycle

A few instructions after the EntryPoint, it calls a function, sub_FB2C78, containing a loop which calls OutputDebugStringW with the string “Installing…\n” and then calls the Sleep API for 10 milliseconds. The loop is iterated 199999100 * 4987 times.


Fig 1

During the course of execution this function is called four times, and it also calls the NtDelayExecution API, so as to defeat sample automation as well as sandboxes that rely on a specific timeout for analyzing malware activity.


Fig 2

Using the FindFirstFileExW and FindNextFileW APIs, it searches the %system32% directory for *.dll. When it finds the required DLL, it uses the NTDLL_LdrLoadDll native API to load it.

For system profiling it calls the below APIs

  • Process Token Access
  • OpenProcessToken
  • GetTokenInformation
  • AllocateAndInitializeSid
  • EqualSid
  • FreeSid
  • RtlQueryElevationFlags
  • GetSystemInfo

It uses registry-related APIs such as SHRegDuplicateHKey, RegEnumKeyW and RegEnumValueA. It also checks the following values under the key below:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\

  • “ConsentPromptBehaviorAdmin”
  • “ConsentPromptBehaviorUser”


Fig 3

These values are used for checking the Administrative privileges.

It enumerates the below registry key to get the list of software installed on the system:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall


Fig 4

The malware calls several API functions to collect information such as Windows version information, system and CPU information.

It also collects the names of the running processes and encrypts all the information before sending it to the remote server.


Fig 5

It uses the GetComputerName and GetEnvironmentVariableW APIs to find the ComputerName and UserName respectively. These are concatenated, and the MD5 of the result is generated using the CryptAcquireContextW(), CryptCreateHash(), CryptHashData() and CryptGetHashParam() API calls. That hash is then used to create the mutex.


Fig 6

Network Activity

The server list is hardcoded in the unpacked executable file:

  • 104.247.221.104:443
  • 198.199.106.229:5900
  • 92.222.216.44:443

Using InternetOpenA and InternetConnectA, it tries to connect to one of the servers in the list on the listed port, with NULL in the username and password fields.

It uses the HttpOpenRequestW API with lpszVerb ‘POST’ and lpszObjectName ‘/’ to create the HTTP request handle.

At the time of writing, the sample tried to establish a secure connection with only one of the IPs listed above:


Fig 7

SonicWall Capture Labs provides protection against this threat with the following signature:

  • MalAgent.GR (Trojan)

Indicators of Compromise:

  • d013d1ba2fd45429ed679504f5ce6c9a

LOCKID Ransomware actively spreading in the wild

The SonicWall Capture Labs Threat Research Team observed reports of a new variant family of LOCKID ransomware [LOCKID.RSM] actively spreading in the wild.

The LOCKID ransomware encrypts the victim’s files with a strong encryption algorithm until the victim pays a fee to get them back.

Infection Cycle:

The ransomware adds the following files to the system:

  • Malware.exe
    • %App.path%\@_READ_TO_RECOVER_FILES_@
      • Instructions for recovery

Once the computer is compromised, the ransomware runs the following commands:

The ransomware encrypts all the files but does not change their extensions.

Here is an example (Eula.txt Original Content):

Here is an example Encrypted file:

After encrypting all personal documents, the ransomware shows the following text file containing a message reporting that the computer has been encrypted and to contact its developer for unlock instructions.

We have been monitoring varying hits over the past few days for the signature that blocks this threat:

SonicWall Capture Labs provides protection against this threat via the following signature:

  • GAV: LOCKID.RSM (Trojan)

This threat is also detected by SonicWALL Capture ATP w/RTDMI and the Capture Client endpoint solutions.

Steam – Rust Trainer, DGA & Miner Found

Overview:

SonicWall Capture Labs Threat Research Team recently found a unique Domain Generation Algorithm (DGA) inside a uniquely named file called “Rust Trainer.exe”. The sample is themed around the Steam PC game “(RUST)”: the file is deceptively named to look like a tool for cheating and creating hacks for the online multiplayer game. However, once executed, the file only starts the infection. It injects into “svchost.exe”; after injection the sample starts creating domains on the fly. The domain generation algorithm in this sample can generate 172 million domains. The sample also has the ability to look for and install new coin mining software, along with an array of other abilities.

Objective of the game:

The only aim in Rust is to survive.

To do this you will need to overcome struggles such as hunger, thirst and cold. Build a fire. Build a shelter. Kill animals for meat. Protect yourself from other players, and kill them for meat. Create alliances with other players and form a town.

Do whatever it takes to survive.

The developers describe the content like this:

This Game may contain content not appropriate for all ages, or may not be appropriate for viewing at work: Nudity or Sexual Content, Frequent Violence or Gore, General Mature Content

Sample Static Information:

Anti-Debugging Techniques Used:

Process Checking – This sample looks for many different processes used in reverse engineering. If one of them is found, it terminates and deletes that process, along with all files associated with it.

Anti-Debug Cluster – This cluster of anti-debugging tricks is absurd, but it works quite well. To bypass it you will need the proper plugins and to edit a few areas of the process execution. Once bypassed, you can enter the DGA starting routine.

Standard XOR, TLS Encryption & Decryption:

TLS functions are used inside the cryptor to decrypt the first quarter of the PE binary. Once decrypted, it checks the associated program directory for a file named “old_filename.exe”. If the file is found, the cryptor goes to stage 2 and decrypts the rest of the file. A trick that can be used here is to put a breakpoint on “CreateProcessA”, then follow the stage 2 decryption inside a second debugger. Once you reach stage 2 you can start analysis of the malware.

OEP Byte Structure:
Original:
C1 78 15 37 91 21 A1 B0 94 F0 98 21

1st decryption:
55 89 E5 C6 05 D0 51 41 00 01 68 D0

2nd decryption:
55 89 E5 53 B8 10 33 45 00 50 E8 51

Understanding the DGA:

Domain generation algorithms are seen in various families of malware. They normally generate large numbers of domain names, of which usually only one or a handful are active at a time. This connect-back feature lets the bot reach its command and control server and/or the bot master. Here we see “www.” being prepended to the random string produced by the Mersenne Twister pseudo-random number generator described below; after generation, “.com” is appended, completing the domain name:

Domain Character Generation:

The character array’s length is 0x3E (62 decimal); the first element is not indexed and its only use is for the length of the array.
>iHRYg79zJXaGw1CF5K0d3vZobhAlx6StUBnjOIMpe2yVuPr4sL8DqmQTkEcWNf
The Mersenne Twister’s output is used as an index into this character array.

Pseudo Random Number Generator Information:

Generating good random numbers in software is a complex topic. Software-based random number generators can never generate truly random numbers and are therefore called pseudo-random number generators, because they rely on mathematical formulas to give the impression of randomness. The pseudo-random generator in this file is the well-known Mersenne Twister algorithm, which has been around since 1997. This implementation of the pseudo-random number generator (PRNG), MT19937, was given its name because it has a period of 2^19937 – 1, which is a Mersenne prime; 19937 is also the size in bits of the Twister’s internal state.

Range Distribution, is from 0x00 to 0x3E:

Mersenne Twister Initialization:

Mersenne Twister Twist Function:

Seed Generation:

You need to initialize the random number generator above. This is also called seeding the random number generator. Most default applications of seeding use the current system time as the seed. This file uses “GetTickCount”, which is defined as: retrieves the number of milliseconds that have elapsed since the system was started, up to 49.7 days. This function wraps around back to zero after 49.7 days have passed and starts counting again up to 49.7 days.

You need to make sure that you use a good quality seed for your software-based random number generator. If you initialize the random number generator with the same seed every time, you will create the same sequence of random numbers every time. This is why the seed is usually the current system time. The malware author wants unique random numbers.

Get Seed:

Domains Generated By Algorithm Above:

Using the n choose r formula to count all combinations of indexes into the character array, we get a total of 107,518,933,731 index combinations, or possible domain names. However, if we divide that by 625 we get the number of seed values possible from the use of the Mersenne Twister algorithm and GetTickCount, which is 172,030,293.97, about 172 million possible seed values. This means the algorithm above can only generate one domain name per seed value, so about 172 million domains are possible in total, if my math is correct. A quick 50 domains are below:

www.yIGntVEPMH.com
www.MGtoYca5Mc.com
www.f0VrN4HH6A.com
www.HL3aPxMS3Y.com
www.wsJjcWQQYi.com
www.QS41X9DIxP.com
www.pNMfQfCMcc.com
www.VWG3uvAFJ5.com
www.xuOEZYTq59.com
www.cO4FBGST1R.com
www.oP3S64bPio.com
www.m6tdbpSTqx.com
www.Mku7nd9aSV.com
www.ba68B1FWwi.com
www.wu8wZ0WHFw.com
www.mXuLDj22ZO.com
www.7lR8sv2HQz.com
www.XIvUqahVFC.com
www.O34IJTfFR3.com
www.9JCjV8tO20.com
www.ObWas8qSis.com
www.WXtFl7etTS.com
www.nFl3bgOHQi.com
www.RDuJLlThUt.com
www.JKY80bY34O.com
www.L1ECJ8EqTy.com
www.nFabIyFbU1.com
www.tLuxaXTSmY.com
www.C8BmA1rt9B.com
www.aR2jHV5Iug.com
www.bU53t9Fvpn.com
www.n3D2ett5DN.com
www.Nc3YLZ5nJA.com
www.qIWoeTCg4A.com
www.N3kVqjPXhz.com
www.vSSYJhcCH0.com
www.KXIOLfXc25.com
www.mPKrYCjfMC.com
www.9rVoNSyQxj.com
www.MyCgdkNVSO.com
www.dqi0XrnSTS.com
www.LYgzgyT2pi.com
www.SRbXhfgCyW.com
www.i9l8ExEEzi.com
www.646C1ofLE2.com
www.Bi3R8QqOMo.com
www.VKE5kAXBig.com
www.8hRjtIsupm.com
www.YgCYcX8iux.com
www.enJZpDk1yv.com
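To make the initialization, twist and seeding steps above concrete, here is an added example (not code from the SonicWall write-up or from the sample) of a from-scratch MT19937 in Python, seeded the way the reference init_genrand() seeds it, together with a domain formatter. The 62-character alphabet, the 10-character label and the www.<label>.com shape are taken from the domains listed above; the step that turns one PRNG output into a character (output modulo the alphabet size) is an assumption, as is the tick-window helper, which only illustrates the defender-side use of enumerating consecutive 32-bit seed values.

```python
# Added example: reference-style MT19937 plus an ASSUMED output-to-character
# mapping. Not the sample's own code; the real selection step is not shown.
import string

ALPHABET = string.ascii_lowercase + string.ascii_uppercase + string.digits  # 62 chars
LABEL_LEN = 10          # the observed domains use 10-character labels
MASK32 = 0xFFFFFFFF


class MT19937:
    """Mersenne Twister: period 2^19937 - 1, 624-word (19937-bit) state."""

    N, M = 624, 397
    MATRIX_A = 0x9908B0DF

    def __init__(self, seed: int) -> None:
        # init_genrand(): fill the 624-word state from a single 32-bit seed.
        self.mt = [0] * self.N
        self.mt[0] = seed & MASK32
        for i in range(1, self.N):
            prev = self.mt[i - 1]
            self.mt[i] = (1812433253 * (prev ^ (prev >> 30)) + i) & MASK32
        self.index = self.N  # force a twist before the first output

    def twist(self) -> None:
        # Regenerate all 624 state words in place.
        for i in range(self.N):
            y = (self.mt[i] & 0x80000000) | (self.mt[(i + 1) % self.N] & 0x7FFFFFFF)
            self.mt[i] = self.mt[(i + self.M) % self.N] ^ (y >> 1)
            if y & 1:
                self.mt[i] ^= self.MATRIX_A
        self.index = 0

    def extract(self) -> int:
        # Temper one state word into a 32-bit output.
        if self.index >= self.N:
            self.twist()
        y = self.mt[self.index]
        self.index += 1
        y ^= y >> 11
        y ^= (y << 7) & 0x9D2C5680
        y ^= (y << 15) & 0xEFC60000
        y ^= y >> 18
        return y & MASK32


def generate_domain(seed: int) -> str:
    """Return one www.<label>.com domain for a seed (e.g. a GetTickCount value).

    ASSUMPTION: each character is picked by reducing one PRNG output modulo the
    alphabet size. Same seed -> same domain, which is the point made above.
    """
    rng = MT19937(seed)
    label = "".join(ALPHABET[rng.extract() % len(ALPHABET)] for _ in range(LABEL_LEN))
    return f"www.{label}.com"


def domains_for_tick_window(start_tick: int, count: int) -> list:
    """Enumerate domains for consecutive 32-bit tick-count seeds (hypothetical
    helper for precomputing candidate names to watch or sinkhole); the mask
    mirrors GetTickCount wrapping to zero after 49.7 days."""
    return [generate_domain((start_tick + k) & MASK32) for k in range(count)]


if __name__ == "__main__":
    print(MT19937(5489).extract())                 # reference first output: 3499211612
    print(generate_domain(0x1234))
    print(domains_for_tick_window(0xFFFFFFFE, 4))  # seeds straddle the wrap-around
```

The first output for seed 5489 is the well-known reference value for MT19937, so it serves as a self-check that the initialization, twist and tempering steps match the standard algorithm before any domain-specific assumption is layered on top.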

Coin Mining:

Other Related Strings:

Process Injection:

SonicWall Gateway Anti-Virus (GAV) provides protection against this threat:

  • GAV: Rust.DGA

Cyber Security News & Trends – 10-04-19

This week, it’s National Cybersecurity Awareness Month! Own IT. Secure IT. Protect IT.


SonicWall Spotlight

National Cybersecurity Awareness Month Focuses on Protecting Digital Identities, Being Accountable for Online Safety – SonicWall Blog

  • It’s the 16th annual National Cybersecurity Awareness Month! SonicWall has so much planned to go along with this year’s theme: Own IT. Secure IT. Protect IT. Have you entered our competition? Keep your eyes peeled for more, we’re going to have one each week.

SonicWall Deutschland Twitter account launches

  • We’re delighted for the launch of our new German language Twitter account! Follow it to keep up with the latest German SonicWall and cybersecurity news.

WATCH: CEO killer question with SonicWall – Channel Partner Insight

  • SonicWall CEO Bill Conner has only 50 seconds to answer the question – “What security capabilities are his partners not taking advantage of?” How does he do? Watch and decide for yourself.

SonicWall EMEA SecureFirst Partner Roadshow Series in South Africa – SonicWall Blog

  • The SonicWall EMEA SecureFirst Partner Roadshow Series hit South Africa and Spain including dates in Johannesburg and Durban. Will we be hitting your city next? Check out our schedule.

SonicWall Solution Center at the University of Pisa

  • Antonio Cisternino and proud SonicWall customer Università di Pisa, home of one of the only campus-based SonicWall Solution Centers in Europe, hosted SonicWall CEO Bill Conner at a special cybersecurity session. Students had the opportunity to learn about new cyber threats such as side-channel attacks and how to tackle them using SonicWall RTDMI.

Cybersecurity News

U.S. Government Confirms New Aircraft Cybersecurity Move Amid Terrorism Fears – Forbes

  • The Department of Homeland Security in the United States confirmed it is taking action to protect citizens from cyberattacks targeting aviation. Acknowledging that modern aircraft are essentially flying data centers, the plan is related to the cybersecurity defenses currently being implemented on critical infrastructure like the power grid.

New Malware Campaign Targets US Petroleum Companies – Dark Reading

  • A sophisticated malware campaign is currently targeting US petroleum companies. Analysis of the malware shows that it uses multiple embedded JAR archives to hide the final payload, itself containing multiple execution processes. In one study, only five out of 56 anti-virus tools used to analyze the malware successfully detected it.

America Launches New Cybersecurity Directorate – InfoSecurity Magazine

  • America’s National Security Agency has launched a new organization, the Cybersecurity Directorate, aimed at unifying existing programs under one roof. By launching the new directorate, the NSA hopes to strengthen the cyber-shield protecting the country’s national security systems and critical infrastructure from threat actors.

Malware Infection Disrupts Production at Defence Contractor Plants in Three Countries – ZDNet

  • Rheinmetall, one of the biggest defense contractors in the world, suffered a major cyberattack on its network that caused “significant disruption” at plants in Brazil, Mexico and the US. The company expects the long-term effects of the attack to run into tens of millions of euros.

And Finally:

Pace University’s Cybersecurity Day Features K-9 Demo – News 12 Westchester

In the world of truly analogue cybersecurity, Pace University’s Labrador Harley is an unexpected tool for fighting cybercrime.


In Case You Missed It

National Cybersecurity Awareness Month Focuses on Protecting Digital Identities, Being Accountable for Online Safety

The 16th annual National Cybersecurity Awareness Month (NCSAM) begins today, but this year with a new emphasis: you.

Every October, the National Cyber Security Alliance collaborates with the Cybersecurity and Infrastructure Security Agency (CISA) to launch the month-long campaign, which highlights new or emerging cyber threats against people and organizations and provides tips and best practices to stay safer online.

The 2019 movement, “Own IT. Secure IT. Protect IT.”, highlights the fact that each and every online user, SMB and business should practice personal accountability and proactive behavior in today’s digital landscape.

During the next month, SonicWall cybersecurity experts will examine each of the three themes and explore key aspects of living and doing business in a modern, hyper-connected world.

Own IT.

  • Staying safe on social media
  • Update privacy settings
  • Best practices for device applications

Secure IT.

  • Create strong, unique passphrases for passwords
  • Turn on multi-factor authentication (MFA) or two-factor authentication (2FA) for various sites, services and applications
  • Shop safe online
  • How to spot and avoid email threats like phishing, smishing, vishing, business email compromise (BEC), etc.

Protect IT.

  • Ensure your software, web browser and operating systems are patched regularly
  • Guidance on secure Wi-Fi and wireless
  • Keeping customer/consumer data and information safe

About NCSAM

National Cybersecurity Awareness Month was launched by the National Cyber Security Alliance (NCSA) and the U.S. Department of Homeland Security (DHS) in October 2004 as a broad effort to help all Americans stay safer and more secure online. Following wide success of the ‘Our Shared Responsibility’ theme in years past, CISA and NCSA have shifted strategic focus to a message that promotes personal accountability.

To learn more about NCSAM, please visit StaySafeOnline.org.

New variant of Adwind RAT is active in the wild

SonicWall Capture Labs Threat Research team spotted a new variant of the Adwind RAT, a cross-platform, multi-functional malware also known as JRAT, which silently steals system information and credentials from infected machines.

This phishing campaign targets commercial industries with a message crafted to look like it comes from a legitimate vendor, with an apparent attachment named “Remittance advice.pdf”. But there is no real attachment, just a clickable image embedded at the top of the mail, made to look like a PDF file attachment. When the user clicks on the image, it takes them to a malicious website that drops the initial payload, “Remittance_Advice_HEAD0000I00231_pdf.jar”. The payload is a malicious Java archive (.JAR) file, but the attacker has made it look like a PDF by hiding its true extension.

It’s just an image with an embedded hyperlink not an actual attachment

Based on information from Urlscan.io, this malicious JAR payload has been available on the websites below since September 25th.


Once executed, it connects to the command-and-control server, downloads more payloads, installs dependencies and starts harvesting system information and user credentials.

It tries to find the external IP address of the infected machine through “http://bot.whatismyipaddress.com”.

The JAR file executes the shell command below to change the default code page to 1252 by calling CHCP (the Change Code Page utility), and then executes the PowerShell command.

It drops the below executables into the temp directory:

  • sqlite-3.8.11.2-f1c6f213-9b29-4f05-8db4-69507f2eee1b-sqlitejdbc.dll
  • jna990208984750515170.dll

It starts stealing user credentials and configuration information by querying the paths of various applications.

This variant must be from the same attacker group that targeted national grid utilities last month, as there are similarities in the email message and the payload format. In the previous campaign the JAR file executed a VBScript, but this campaign uses a PowerShell script.

It seems very active in the last few days, but not many security vendors detect it at the time of writing this article.


The Java archive contains 212 class files, and they are heavily obfuscated. After decompiling it with the Procyon decompiler, 177 class files are found to be obfuscated and the remaining files are encrypted with the AES algorithm. We manually deobfuscated the code to retrieve the encryption details.

It uses the AES-128 symmetric encryption algorithm. We retrieved the code below, which creates the cipher object with the AES key; this object is used to decrypt the encrypted JAR file contents.


VirusTotal Threat Graph:

SonicWALL Capture Labs Threat Research team provides protection against this threat with the following signatures:

  • GAV 1383 Adwind.J1
  • GAV 9359 Adwind.KM_3
  • GAV 9358 Adwind.KM_2
  • GAV 28381 Adwind.FMAE_12
  • GAV 29093 Adwind.FMAE_11
  • GAV 28975 Adwind.FMAE_10
  • GAV 29046 Adwind.A_4
  • GAV 21749 Adwind.FMAE_5
  • GAV 35919 Adwind.AG
  • GAV 23867 Adwind.H_11
  • GAV 19558 Adwind.Z_24
  • GAV 19490 Adwind.Z_11
  • GAV 33012 Adwind.V_3

This threat is also detected by SonicWALL Capture ATP w/RTDMI and the Capture Client endpoint solutions.

Indicators of Compromise (IOC):
Sha256:
  • 6e8cf485eacacfc00e3dcb5049c6c49230f8f845949ef24794eb457e0a27b7fc
  • 25ab334bfbc9c5ffc7e2223338c25a50124386b600582074ec65148c74ee4e32
  • 5d0829452303936130c6cd126aa11460c334908c6220e3f833e6d301e51df1e3
  • 28ef8087d1ed5e15a072029e6a910f42f41c8953a75d064182801d63d04dad06
  • 3877128c64e2c4f66f6f3ef6f6b1a46054a2c7ee56ec73a67230fabdeb75808e
  • c2b94a3cdaa2f32919d7a8486403a53ef73f521723b2ba69764a961b2e63cfe5
URL:
The JAR payload is downloaded from the URLs below:
  • kalemimintelvesi.com
  • osixresort.com
  • midc-ict.com
  • fatacosmetics.com
  • tricascadetech.co.uk

IP:

167.71.62.108:80